authelia/SECURITY.md
James Elliott 6b3246a6d3
docs: refactor and update security (#1944)
Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it.
2021-06-01 14:11:33 +10:00

49 lines
2.5 KiB
Markdown

# Security
Authelia takes security very seriously. We follow the rule of
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via
[Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For more information about [security](https://www.authelia.com/docs/security/) related matters, please read
[the documentation](https://www.authelia.com/docs/security/).
## Contact Options
### Matrix
Join the [Matrix Room](https://riot.im/app/#/room/#authelia:matrix.org) and locate one of the maintainers.
You can identify them as they are the room administrators. Alternatively you can just ask in the channel for one of the
maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability.
### Discord
Join the [Discord Server](https://discord.authelia.com) and message the
[#support](https://discord.com/channels/707844280412012608/707844280412012612) chat which links to [Matrix](#matrix)
and contact a maintainer.
### Email
You can contact any of the maintainers for security vulnerability related issues by emailing
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
disclosure related matters. If you need to contact us for any other reason please use
[team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).
## Credit
Users who report bugs will optionally be creditted for the discovery. Both in the
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.
## Process
1. User privately reports a potential vulnerability.
2. The maintainers review the report and ascertain if additional information is required.
3. The maintainers reproduce the bug.
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users
have had a chance to update.